DOCSLIB.ORG

Public Key Certification Service for Qualified Electronic Signatures

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Public Key Certification Service for Qualified Electronic Signatures PUBLIC KEY CERTIFICATION SERVICE FOR QUALIFIED ELECTRONIC SIGNATURES PUBLIC KEY INFRASTRUCTURE (PKI) CERTIFICATION PRACTICE STATEMENT CERTIFICATE POLICY Version 1.3 - 30/10/2020 1. INTRODUCTION ......................................................................................................................................... 9 1.1 Overview ................................................................................................................................................ 9 1.2 Document name and identification ....................................................................................................... 10 1.3 PKI participants .................................................................................................................................... 11 1.3.1 Certification authorities ................................................................................................................. 11 1.3.2 Registration authorities ................................................................................................................. 12 1.3.3 Signatories and third parties ......................................................................................................... 14 1.3.4 Relying parties .............................................................................................................................. 16 1.3.5 Other participants ......................................................................................................................... 16 1.4 Certificate usage .................................................................................................................................. 16 1.5 Policy administration ............................................................................................................................ 17 1.6 Definitions and acronyms ..................................................................................................................... 17 2 PUBLICATION AND REPOSITORY RESPONSIBILITIES ........................................................................ 18 3 IDENTIFICATION AND AUTHENTICATION ............................................................................................. 19 3.1 Naming ................................................................................................................................................. 19 3.2 Initial identity validation ........................................................................................................................ 19 3.3 Identification and authentication for re-key requests ............................................................................ 20 3.4 Identification and authentication for revocation request ....................................................................... 21 4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS ............................................................. 22 4.1 Certificate Application ........................................................................................................................... 22 4.2 Certificate application processing ......................................................................................................... 23 4.3 Certificate issuance .............................................................................................................................. 23 4.4 Certificate acceptance .......................................................................................................................... 24 4.5 Key pair and certificate usage .............................................................................................................. 25 4.6 Certificate renewal ................................................................................................................................ 26 4.7 Certificate re-key .................................................................................................................................. 26 4.8 Certificate modification ......................................................................................................................... 27 4.9 Certificate revocation and suspension .................................................................................................. 28 4.10 Certificate status services .................................................................................................................. 32 4.11 End of subscription ............................................................................................................................ 32 4.12 Key escrow and recovery of CA keys ................................................................................................ 33 5 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS .............................................................. 34 5.1 Physical controls .................................................................................................................................. 34 5.1.1 Site location and construction....................................................................................................... 34 5.1.2 Physical access ............................................................................................................................ 34 5.1.3 Power and air conditioning ........................................................................................................... 35 5.1.4 Water exposures .......................................................................................................................... 35 5.1.5 Fire prevention and protection ...................................................................................................... 35 5.1.6 Media storage ............................................................................................................................... 35 5.1.7 Waste disposal ............................................................................................................................. 36 5.1.8 Off-site backup ............................................................................................................................. 36 5.2 Procedural controls .............................................................................................................................. 36 5.3 Personnel controls ................................................................................................................................ 38 5.4 Audit logging procedures ...................................................................................................................... 39 5.5 Records archival ................................................................................................................................... 39 Version 1.3 - 30/10/2020 2 5.6 Key changeover ................................................................................................................................... 40 5.7 Compromise and disaster recovery ...................................................................................................... 40 5.8 CA termination ...................................................................................................................................... 41 6 TECHNICAL SECURITY CONTROLS ...................................................................................................... 42 6.1 Key pair generation and installation ..................................................................................................... 42 6.2 Private Key Protection and Cryptographic Module Engineering Controls ............................................. 44 6.3 Other aspects of key pairs management .............................................................................................. 46 6.4 Activation data ...................................................................................................................................... 46 6.5 Computer security controls ................................................................................................................... 47 6.6 Life Cycle Security Controls ................................................................................................................. 48 6.7 Network Security Controls .................................................................................................................... 48 6.8 Time-stamping ...................................................................................................................................... 50 7 CERTIFICATE, CRL, AND OCSP PROFILES .......................................................................................... 51 7.1 Certificate profile .................................................................................................................................. 51 7.2 CRL profile ........................................................................................................................................... 58 7.3 OCSP Profile ........................................................................................................................................ 59 8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS ............................................................................. 60 8.1 Frequency or circumstances of assessment ........................................................................................ 60 8.2 Identity/qualifications of assessor ........................................................................................................
Load more

Recommended publications
  • Eidas and E-SIGNATURE a LEGAL PERSPECTIVE: ELECTRONIC SIGNATURES in the EUROPEAN UNION
    eIDAS AND E-SIGNATURE A LEGAL PERSPECTIVE: ELECTRONIC SIGNATURES IN THE EUROPEAN UNION WHITE PAPER TABLE OF CONTENTS Part 1: Introduction 3 Key Highlights of the eIDAS Regulation 4 Legal Effect of Different Types of Signatures 6 Regulation of Trust Services 7 Legal Best Practices 8 Part 2: Compliance With the Regulation 9 Advanced Electronic Signatures 9 Qualified Electronic Signatures 10 Format Standards 12 Additional Evidence 12 Conclusion 13 E-Signature Solution Checklist 14 About the Authors This paper is a collaboration between Lorna Brazell of Osborne Clarke LLP and OneSpan. In part one, Osborne Clarke provides a legal opinion on the legal validity of electronic signature in the European Union. Part two has been prepared by OneSpan, and summarizes best practices recommendations for legal compliance when implementing e-signatures. eIDAS & E-SIGNATURE: A LEGAL PERSPECTIVE FOLLOW US 2 PART 1 Introduction The 2014 Regulation on Electronic Identification and Trust Services for Electronic Transaction in the Internal Market1 (“eIDAS”) went into effect throughout the European Union (“EU”) on 1 July 2016, replacing the 1999 Directive on electronic signatures2 (“the Directive”). Although the Directive had not been the subject of any disputes in its 16-year history, neither had it been a success. Its objective, to enable the widespread use of electronic signatures to conduct business across borders within the EU, was not met. There Are Three Key Reasons for This: I. Most EU Member States’ laws do not specify any form of signature for commercial contracts other than guarantees or contracts assigning real property. II. Many people mistakenly believed that the Directive mandated the use of advanced electronic signatures supported by a qualified certificate3 in order for an electronic signature to be legally effective.
    [Show full text]
  • GUIDELINES on INITIATION K& Yh >/&/ Dzh^D ^ Zs
    THE EU CYBER SECURITY AGENCY GUIDELINES ON INITIATION OF QUALIFIED TRUST SERVICES Technical guidelines on trust services DECEMBER 2017 Guidelines on Initiation of Qualified Trust Services December 2017 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and EU citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Contact For queries in relation to this paper, please use [email protected]. For media enquires about this paper, please use [email protected]. Acknowledgements We would like to thank all those who contributed to this study and reviewed it, specifically the experts and the members of national supervisory bodies, conformity assessment bodies and various trust service providers. Legal notice Notice must be taken that this publication represents the views and interpretations of ENISA, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent state-of the-art and ENISA may update it from time to time.
    [Show full text]
  • Eidas Regulation Questions & Answers
    eIDAS Regulation Questions & Answers on rules applicable to Trust Services as of 1 July 2016 The eIDAS Regulation (Regulation (EU) N°910/2014) on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) adopted by the co-legislators on 23 July 2014 is a milestone as it provides a predictable regulatory environment for electronic identification and trust services, including electronic signatures, seals, time stamps, registered delivery and website authentication. As of 1 July 2016, the provisions applicable to trust services apply directly in the 28 Member States. This means that trust services under eIDAS are no longer regulated by national laws. As a result, the qualified trust services are recognised independently of the Member State where the Qualified Trust Service Provider is established or where the specific qualified trust service is offered. What’s new? What changes with regard to the former eSignature Directive? What must be done at national level? How does it impact market operators? How does it benefit the users (citizens, businesses and public administrations)? What has the Commission done to facilitate the switchover? These questions and many others have been asked along the road since the adoption. We have compiled this Q&A document to help those of you who need to fully understand the new legal framework in order to implement it or reap the benefits of electronic transactions, as well as those of you who are curious about the Regulation’s various implications. I. What is new? How will the legal effect of electronic signature change under eIDAS (compared to the regime under the eSignature Directive) as from 1 July 2016? Since 1 July 2016, when the trust services’ provisions under the eIDAS Regulation entered into application, an electronic signature can only be used by a natural person to “sign”, i.e.
    [Show full text]
  • Trusted E-ID Infrastructures and Services in EU
    Trusted e-ID Infrastructures and services in EU Recommendations for Trusted Provision of e-Government services Report, December 2013 European Union Agency for Network and Information Security www.enisa.europa.eu Trusted e-ID Infrastructures and services in EU Recommendations for Trusted Provision of e-Government services Report, December 2013 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Authors This report has been produced by ENISA (Prof. Manel Medina and Clara Galán) in collaboration with Atos Consulting (Alejandro Elices and M. Elena Martínez B.) and with the support of EC DG Connect unit H4 and the ISPC of the JRC. Contact For contacting the authors please use [email protected] For media enquires about this paper, please use [email protected]. Acknowledgements This report has been possible thanks to the contributions of the participants in the large scale projects: EPSOS, PEPPOL (Jon Ølnes and Lefteris Leontaridis) and e-CODEX, that kindly answered the questionnaire prepared by ENISA and the contractor of this project Atos Consulting.
    [Show full text]
  • Ts 119 612 V2.2.1 (2016-04)
    ETSI TS 119 612 V2.2.1 (2016-04) TECHNICAL SPECIFICATION Electronic Signatures and Infrastructures (ESI); Trusted Lists 2 ETSI TS 119 612 V2.2.1 (2016-04) Reference RTS/ESI-0019612v221 Keywords e-commerce, electronic signature, security, trust services ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice The present document can be downloaded from: http://www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.
    [Show full text]
  • Qualified Validation Services for Qualified Electronic Signatures and Qualified Electronic Seals
    Prime minister Agence nationale de la sécurité des systèmes d’information Qualified validation services for qualified electronic signatures and qualified electronic seals Criteria for assessing compliance with the eIDAS regulation Based on French version 1.0 of 3 January 2017 VERSION HISTORY DATE VERSION DOCUMENT CHANGES EDITOR 16/06/2016 0.8 Working version for comments. ANSSI Version for application on 31 January 2017. Amendments: - Details relating to the inclusion into the trusted list; - Amendment to the requirements relating to the preservation of data; - Supplements relating to the verification of time stamp modules; 03/01/2017 1.0 - Modification of the requirements relating to the ANSSI freshness of revocation status information; - Details relating to the verification of the qualified status of the signature certificate or of the seal to the retrieval of the identity of the seal signatory or creator; - Minor modifications and clarifications. Comments on this document should be sent to: Agence nationale de la sécurité des systèmes d’information SGDSN/ANSSI 51 boulevard de La Tour-Maubourg 75700 Paris 07 SP [email protected] Qualified validation services for qualified electronic signatures and qualified electronic seals – Criteria for conformity assessment with the eIDAS regulation Version Date Circulation criterion Page 1.0 03/01/2017 PUBLIC 2/13 CONTENTS I. Introduction .......................................................................................................................................................
    [Show full text]
  • Etsi Tr 119 001 V1.1.1 (2015-07)
    ETSI TR 119 001 V1.1.1 (2015-07) TECHNICAL REPORT Electronic Signatures and Infrastructures (ESI); The framework for standardization of signatures; Definitions and abbreviations 2 ETSI TR 119 001 V1.1.1 (2015-07) Reference DTR/ESI-0019001 Keywords e-commerce, electronic signature, security, trust services ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice The present document can be downloaded from: http://www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.
    [Show full text]
  • As a Leading Trust Service Provider in Europe, We Enable the Most Innovative Digital Business Models
    As a leading trust service provider in Europe, we enable the most innovative digital business models. Swisscom Trust Services makes Mobile ID internationally available with the app version and expands the signature portfolio Mobile ID enables digital expressions of intent using two-factor authentication // Fully integrated signature solution shortens go-to-market from several months to 2-3 weeks Frankfurt, 20th April 2020 - Swisscom Trust Services, the only European provider of a qualified electronic signature in accordance with eIDAS and ZertES, is now offering its Mobile ID authentication solution not only in Switzerland but also internationally in the form of a smartphone app. In contrast to the Swiss market, the Mobile ID app is independent of the SIM card and the mobile network and uses either the biometric functions of the smartphone or the device PIN for authentication if the biometric cap- ture does not work or is not supported by the device. Swisscom Trust Services thus of- fers all components for a qualified electronic signature in accordance with eIDAS from a single source, which in many cases is legally equivalent to a manual signature. "With the expansion of Mobile ID beyond Switzerland, we now offer a complete pack- age for the electronic signature internationally. This enables companies and partners to integrate a complete signature solution into their processes in two to three weeks and thus to digitise themselves more quickly," says Marco Schmid, Head of Interna- tional Expansion Strategy at Swisscom Trust Services. "At the same time, our offer is flexible enough to integrate proprietary identification or authentication solutions ret- rospectively.
    [Show full text]
  • Adobe Sign and Eidas Compliance
    ADOBE SIGN Compliance with European electronic signatures legislation December 2016 TABLE OF CONTENTS 1 Introduction _____________________________________________________________________ 1 2 Regulatory framework _____________________________________________________________ 1 2.1 eIDAS Regulation __________________________________________________________________ 1 2.1.1 Standard electronic signatures ___________________________________________________ 2 2.1.2 Advanced electronic signatures __________________________________________________ 3 2.1.3 Qualified electronic signatures ___________________________________________________ 4 2.2 Validity and enforceability of electronic agreements ________________________________________ 5 3 Compliance assessment of Adobe Sign _______________________________________________ 6 3.1 Description of Adobe Sign ____________________________________________________________ 6 3.2 How Adobe Sign can support eIDAS compliance __________________________________________ 9 3.2.1 Adobe Sign meets the European requirements of standard electronic signatures ____________ 9 3.2.2 Adobe Sign and advanced electronic signatures ____________________________________ 10 3.2.3 Adobe Sign and qualified electronic signatures _____________________________________ 12 4 Conclusion _____________________________________________________________________ 14 5 About the Author ________________________________________________________________ 16 ADOBE SIGN December 2016 DLA Piper 1 INTRODUCTION This white paper assesses the legal effectiveness
    [Show full text]
  • Digital Signatures for Dummies®, Cryptomathic Special Edition
    These materials are © 2017 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited. Digital Signatures Cryptomathic Special Edition by Chris Allen and Steve Marshall These materials are © 2017 John Wiley & Sons, Ltd. Any dissemination, distribution, or unauthorized use is strictly prohibited. Digital Signatures For Dummies®, Cryptomathic Special Edition Published by: John Wiley & Sons, Ltd., The Atrium, Southern Gate Chichester, West Sussex, www.wiley.com © 2017 by John Wiley & Sons, Ltd., Chichester, West Sussex Registered Office John Wiley & Sons, Ltd., The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior written permission of the Publisher. For information about how to apply for permission to use the copyright material in this book, please see our website at http://www. wiley.com/go/permissions. Trademarks: Wiley, For Dummies, the Dummies Man logo, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Ltd., is not associated with any product or vendor mentioned in this book. LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHOR HAVE USED THEIR BEST EFFORTS IN PREPARING THIS BOOK, THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS BOOK AND SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
    [Show full text]
  • CP/CPS) for the Certificate Classes „Diamant“ (Regulated/Qualified
    Certificate Policy / Certification Practice Statement (CP/CPS) For the Certificate Classes „Diamant“ (regulated/qualified) and „Saphir“ (advanced) Version: 3.2 Date: April 18, 2018 Swisscom (Switzerland) Ltd. Alte Tiefenaustrasse 6 3050 Bern Document history Version Date Changed by Comments/nature of the change 3.2 18.04.2018 Kerstin Wagner Synchronized with German version 3.2 3.2 18.04.2018 Governance Board Approval ©Swisscom (Switzerland) Ltd. CP/CPS „Diamant“ and „Saphir“ Version 3.2 2/39 Date 18.04.2018 Referenced Documents [ZertES] SR 943.03: Federal Act on Electronic Signatures, ZertES [VZertES] SR 943.032: Ordinance on Certification Services in the area of Electronic Signatures, VZertES [TAV] SR 943.032.1, TAV: Technical and administrative provisions for certification services in the field of electronic signatures [UIDG] Federal Act on the Company Identification Number, UIDG [RFC 3647] IETF RFC 3647: "Internet X.509 Public Key Infrastructure - Certificate Policy and Certification Practices Framework" [RFC 5280] IETF RFC 5280: "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" [CEN/TS 419 241] Security Requirements for Trustworthy Systems supporting Server Signing [ETSI TS 119 312] Electronic Signatures and Infrastructures (ESI); Cryptographic Suites [ETSI EN 319 401] General Policy Requirements for Trust Service Providers [ETSI EN 319 411-1] Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements [ETSI EN 319 411-2] Policy
    [Show full text]
  • Eidas Regulation
    Premier ministre Agence nationale de la sécurité des systèmes d’information eIDAS Regulation Frequently asked questions Based on French Version 1.2 of 25 March 2021 VERSION HISTORY DATE VERSION DOCUMENT CHANGES EDITOR 02/06/2016 1.0 Version for publication. ANSSI Update. Amendments: - Details relating to the notification procedure of electronic identification schemes; 16/01/2019 1.1 ANSSI - Clarifications on the levels of electronic signatures ; - Details relating to the issuance of qualified certificates ; - Precisions relating to the articulation between the eIDAS Regulation and the General Security Baseline; - Addition of the point of contact within ANSSI. Update. 25/03/2021 1.2 ANSSI Amendments: precisions relating to the remote identity proofing of users. Comments on this document should be sent to: Agence nationale de la sécurité des systèmes d’information SGDSN/ANSSI 51 boulevard de La Tour-Maubourg 75700 Paris 07 SP [email protected] [email protected] CONTENTS I. GENERAL QUESTIONS ON THE EIDAS REGULATION........................................................... I.1. What is the eIDAS Regulation?............................................................................................... I.2. What are the subjects covered by the eIDAS Regulation?...................................................... I.3. When the eIDAS Regulation has been published? When it entered into force and when it became applicable?.............................................................................................................
    [Show full text]